Debian Gitlab vulnerabilities
863 known vulnerabilities affecting debian/gitlab.
Total CVEs: 863
CISA KEV (actively exploited): 4
Public exploits: 18
Exploited in wild: 7
Severity breakdown: CRITICAL 43, HIGH 158, MEDIUM 552, LOW 110
Vulnerabilities
Page 17 of 44
CVE-2022-3411 | P4 | MEDIUM | CVSS 6.5 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
A lack of length validation in GitLab CE/EE affecting all versions from 12.4 before 15.6.7, 15.7 before 15.7.6, and 15.8 before 15.8.1 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
CVE-2019-10110 | P4 | MEDIUM | CVSS 6.5 | fixed in gitlab 11.8.6+dfsg-1 (sid) | 2019
An Insecure Permissions issue (issue 1 of 3) was discovered in GitLab Community and Enterprise Edition before 11.7.8, 11.8.x before 11.8.4, and 11.9.x before 11.9.2. The "move issue" feature may allow a user to create projects under any namespace on any GitLab instance on which they hold credentials.
Scope: local
sid: resolved (fixed in 11.8.6+dfsg-1)
CVE-2024-8266 | P3 | MEDIUM | CVSS 4.4 | fixed in gitlab 17.6.5-1 (sid) | 2024
An issue was discovered in GitLab CE/EE affecting all versions starting from 17.1 prior to 17.6.0, which allows an attacker with maintainer role to trigger a pipeline as project owner under certain circumstances.
Scope: local
sid: resolved (fixed in 17.6.5-1)
CVE-2023-6489 | P4 | MEDIUM | CVSS 4.3 | fixed in gitlab 17.3.5-2 (sid) | 2023
A denial of service vulnerability was identified in GitLab CE/EE, versions 16.7.7 prior to 16.8.6, 16.9 prior to 16.9.4 and 16.10 prior to 16.10.2, which allows an attacker to spike the GitLab instance resource usage, resulting in service degradation, via the chat integration feature.
Scope: local
sid: resolved (fixed in 17.3.5-2)
CVE-2020-13320 | P4 | MEDIUM | CVSS 6.5 | fixed in gitlab 13.2.3-2 (sid) | 2020
An issue has been discovered in GitLab before version 12.10.13 that allowed a project member with limited permissions to view the project security dashboard.
Scope: local
sid: resolved (fixed in 13.2.3-2)
CVE-2020-10955 | P4 | MEDIUM | CVSS 6.5 | fixed in gitlab 13.2.3-2 (sid) | 2020
GitLab EE/CE 11.1 through 12.9 is vulnerable to parameter tampering on an upload feature that allows an unauthorized user to read content available under specific folders.
Scope: local
sid: resolved (fixed in 13.2.3-2)
CVE-2019-7155 | P4 | MEDIUM | CVSS 6.5 | fixed in gitlab 11.5.10+dfsg-1 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control. A user retains their role within a project in a private group after being removed from the group, if their privileges within the project are different from the group.
Scope: local
sid: resolved (fixed in 11.5.10+dfsg-1)
CVE-2022-2455 | P4 | MEDIUM | CVSS 6.5 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
A business logic issue in the handling of large repositories in all versions of GitLab CE/EE from 10.0 before 15.1.6, all versions starting from 15.2 before 15.2.4, and all versions starting from 15.3 before 15.3.2 allowed an authenticated and authorized user to exhaust server resources by importing a malicious project.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
CVE-2023-6159 | P4 | MEDIUM | CVSS 6.5 | fixed in gitlab 16.6.6-1 (sid) | 2023
An issue has been discovered in GitLab CE/EE affecting all versions from 12.7 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. It was possible for an attacker to trigger a Regular Expression Denial of Service via a `Cargo.toml` containing maliciously crafted input.
Scope: local
sid: resolved (fixed in 16.6.6-1)
CVE-2024-1947 | P4 | MEDIUM | CVSS 4.3 | fixed in gitlab 17.3.5-2 (sid) | 2024
A denial of service (DoS) condition was discovered in GitLab CE/EE affecting all versions from 13.2.4 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. By leveraging this vulnerability an attacker could create a DoS condition by sending crafted API calls.
Scope: local
sid: resolved (fixed in 17.3.5-2)
CVE-2020-10081 | P4 | MEDIUM | CVSS 6.5 | fixed in gitlab 12.6.8-3 (sid) | 2020
GitLab before 12.8.2 has Incorrect Access Control. It was internally discovered that the LFS import process could potentially be used to incorrectly access LFS objects not owned by the user.
Scope: local
sid: resolved (fixed in 12.6.8-3)
CVE-2019-18448 | P4 | MEDIUM | CVSS 6.5 | fixed in gitlab 12.6.8-3 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition before 12.4. It has Incorrect Access Control.
Scope: local
sid: resolved (fixed in 12.6.8-3)
CVE-2018-19496 | P4 | MEDIUM | CVSS 6.5 | fixed in gitlab 11.3.11+dfsg-1 (sid) | 2018
An issue was discovered in GitLab Community and Enterprise Edition 10.x and 11.x before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1. There is an incorrect access control vulnerability that permits a user with insufficient privileges to promote a project milestone to a group milestone.
Scope: local
sid: resolved (fixed in 11.3.11+dfsg-1)
CVE-2019-6791 | P4 | MEDIUM | CVSS 6.5 | fixed in gitlab 11.5.10+dfsg-1 (sid) | 2019
An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control (issue 3 of 3). When a project with visibility more permissive than the target group is imported, it will retain its prior visibility.
Scope: local
sid: resolved (fixed in 11.5.10+dfsg-1)
CVE-2024-1495 | P4 | MEDIUM | CVSS 6.5 | fixed in gitlab 17.3.5-2 (sid) | 2024
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.1 prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. It was possible for an attacker to cause a denial of service using a maliciously crafted file.
Scope: local
sid: resolved (fixed in 17.3.5-2)
CVE-2024-4557 | P4 | MEDIUM | CVSS 6.5 | fixed in gitlab 17.3.5-2 (sid) | 2024
Multiple Denial of Service (DoS) conditions have been discovered in GitLab CE/EE affecting all versions starting from 1.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allowed an attacker to cause resource exhaustion via the banzai pipeline.
Scope: local
sid: resolved (fixed in 17.3.5-2)
CVE-2024-5423 | P4 | MEDIUM | CVSS 6.5 | fixed in gitlab 17.3.5-2 (sid) | 2024
Multiple Denial of Service (DoS) conditions have been discovered in GitLab CE/EE affecting all versions starting from 1.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, which allowed an attacker to cause resource exhaustion via the banzai pipeline.
Scope: local
sid: resolved (fixed in 17.3.5-2)
CVE-2024-9387 | P4 | MEDIUM | CVSS 6.4 | fixed in gitlab 17.5.5-1 (sid) | 2024
An issue was discovered in GitLab CE/EE affecting all versions from 11.8 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. An attacker could potentially perform an open redirect against a given releases API endpoint.
Scope: local
sid: resolved (fixed in 17.5.5-1)
CVE-2022-3902 | P4 | MEDIUM | CVSS 5.5 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
An issue has been discovered in GitLab affecting all versions starting from 9.3 before 15.4.6, all versions starting from 15.5 before 15.5.5, and all versions starting from 15.6 before 15.6.1. It was possible for a project maintainer to unmask webhook secret tokens by reviewing the logs after testing webhooks.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
CVE-2022-1148 | P4 | MEDIUM | CVSS 5.3 | fixed in gitlab 15.10.8+ds1-2 (sid) | 2022
Improper authorization in GitLab Pages included with GitLab CE/EE affecting all versions from 11.5 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowed an attacker to steal a user's access token on an attacker-controlled private GitLab Pages website and reuse that token on the victim's other private websites.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)